External LDAP for authentication
Hi All,
I want to use external ldap for authentication purpose with Access Manager.
I tried adding this external ldap as a secondary ldap but couldn't succeed.
If I add this ldap in the primary ldap along with the AM's own ldap, this also fails to authenticate users from the external ldap.
How can I achieve this?
I read many topics in this forum regarding this but none of them explain how it can be achieved.
Please suggest.
Thanks in advance.
This is what the amconsole log says:
ERROR: ConsoleServletBase.onUncaughtException
java.lang.NullPointerException
at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)
Similar Messages
-
WLC connect LDAP for Authentication, but could not connect to server
Hi Everyone, I got a problem when I use a WLC 5508 to connect to LDAP for authentication, but no luck there. It's a simple config, but not easy to work on my job. I got the following message:
Service Port - Not connected
Distribution port includes:
Management Interface - in AP Management VLAN - 30
Student AP interface - in Student VLAN - 20
Staff AP interface - in Staff VLAN - 10
AD is in Staff VLAN - 10
WLC LDAP Server setting
Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
User Attribute: sAMAccountName
User Object Type: Person
Debug aaa all enable message
*LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
*LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
*LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
WLC GUI Log:
*LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
LDP Message of LDAP BaseDN:
Expanding base 'CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
4> objectClass: top; person; organizationalPerson; user;
1> cn: Frankie F. Yeung;
1> sn: Yeung;
1> givenName: Frankie;
1> initials: F;
1> distinguishedName: CN=Frankie F. Yeung,OU=OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 8/10/2011 10:28:14 China Standard Time China Standard Time;
1> whenChanged: 8/10/2011 10:31:26 China Standard Time China Standard Time;
1> displayName: Frankie F. Yeung;
1> uSNCreated: 3850555;
1> uSNChanged: 3850571;
1> name: Frankie F. Yeung;
1> objectGUID: 6ebfc7e9-6989-4f11-bae7-62c23af67edc;
1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
1> badPwdCount: 0;
1> codePage: 0;
1> countryCode: 0;
1> badPasswordTime: 0;
1> lastLogoff: 0;
1> lastLogon: 0;
1> pwdLastSet: <ldp error <0x0>: cannot format time field;
1> primaryGroupID: 513;
1> objectSid: S-1-5-21-3867848445-1581729766-1247451615-2172;
1> accountExpires: <ldp error <0x0>: cannot format time field;
1> logonCount: 0;
1> sAMAccountName: fckyeung;
1> sAMAccountType: 805306368;
1> userPrincipalName: [email protected];
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
Hope I can resolve this problem ASAP, thanks!
Your AD is in the Staff Vlan so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
The comment about eap methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do peap-mschapv2 or eap-fast-mschpv2 with LDAP".
But you can do LDAP for web authentication, that has no eap methods.
Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD.
-
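To make the diagnosis in the WLC reply above repeatable, here is an added example (not code from the thread or from Cisco) that parses the quoted "debug aaa all" lines into events and reports, per LDAP server, the bind method, the rc of the bind call and the final server state; the regexes and the diagnosis rule are my assumptions derived only from the lines quoted in the post.

```python
"""Parse Cisco WLC 'debug aaa all' LDAP lines and locate where the login fails.

Added example for the WLC thread above; it is not code from the thread or
from Cisco.  The regexes and the diagnosis rule are assumptions about the
line format, derived only from the lines quoted in the post.
"""
import re

# Constructed sample: the debug and GUI log lines quoted in the post above.
SAMPLE_LOG = """\
*LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
*LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
*LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
*LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
"""

# Common prefix: task id and timestamp, then the message body.
LINE_RE = re.compile(r"^\*LDAP DB Task \d+: (?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
# e.g. "ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)"
CALL_RE = re.compile(
    r"^(?P<func>\w+) \[(?P<server>\d+)\] (?P<detail>.*?)(?P<api>lcapi_\w+) "
    r"\(rc = (?P<rc>\d+) - (?P<text>[^)]*)\)$")
METHOD_RE = re.compile(r"configured Method (?P<method>\w+)")
STATE_RE = re.compile(r"^LDAP server (?P<server>\d+) changed state to (?P<state>\w+)$")
FAIL_RE = re.compile(
    r"%AAA-3-LDAP_CONNECT_SERVER_FAILED: .*server (?P<server>\d+), "
    r"reason: (?P<rc>\d+) \((?P<text>[^)]*)\)")


def parse_log(text):
    """Return one event dict per recognised line; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        c = CALL_RE.match(msg)
        if c:
            meth = METHOD_RE.search(c.group("detail"))
            events.append({"ts": ts, "kind": "call", "server": int(c.group("server")),
                           "func": c.group("func"), "api": c.group("api"),
                           "rc": int(c.group("rc")), "text": c.group("text"),
                           "method": meth.group("method") if meth else None})
            continue
        s = STATE_RE.match(msg)
        if s:
            events.append({"ts": ts, "kind": "state", "server": int(s.group("server")),
                           "state": s.group("state")})
            continue
        f = FAIL_RE.search(msg)
        if f:
            events.append({"ts": ts, "kind": "fail", "server": int(f.group("server")),
                           "rc": int(f.group("rc")), "text": f.group("text")})
    return events


def diagnose(events):
    """Per server: bind method, bind rc, final state and a one-line finding."""
    report = {}
    for e in events:
        r = report.setdefault(e["server"], {"bind_method": None, "bind_rc": None,
                                            "bind_text": None, "final_state": None,
                                            "connect_failures": 0})
        if e["kind"] == "call":
            if e["method"]:
                r["bind_method"] = e["method"]
            if e["api"] == "lcapi_bind":
                r["bind_rc"], r["bind_text"] = e["rc"], e["text"]
        elif e["kind"] == "state":
            r["final_state"] = e["state"]
        else:
            r["connect_failures"] += 1
    for r in report.values():
        if r["bind_rc"] is None:
            r["finding"] = "no bind attempt seen"
        elif r["bind_rc"] != 0:
            # The failure is at the bind step, before any search, so Base DN and
            # User Attribute are not reached yet: check bind method/credentials first.
            r["finding"] = (f"bind with method {r['bind_method']} failed "
                            f"(rc {r['bind_rc']}: {r['bind_text']}); server ended in "
                            f"{r['final_state']}, {r['connect_failures']} connect failure(s)")
        else:
            r["finding"] = "bind succeeded; a failing login would be in the search step"
    return report


if __name__ == "__main__":
    for server, r in diagnose(parse_log(SAMPLE_LOG)).items():
        print(f"LDAP server {server}: {r['finding']}")
```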
Hi.
Is it possible to use external LDAP server for my UCM server without using external LDAP server for my admin server?
That is I have a domain with admin server and UCM server.
My admin server doesn't have external LDAP.
So is it possible to use external LDAP server for my UCM server in such situation?
And if it is possible, could you give me some information about it?
(sorry for my english)
First of all, thank you for links.
But I have a problem: I configured my own LDAP provider and I can see that 'Connection State' is good (5 out of 5 connections are good), but I can not log in into UCM with users in my LDAP (Invalid Credentials. Please try entering your user name and password again.).
Here is my LDAP provider configuration:
Provider Name: MyLDAP
Provider Description: MyLDAP
Connection State: 5 out of 5 connections are good
Last Activity Date: 12/17/12 4:23 PM
Provider Type: ldapuser
Provider Class: intradoc.provider.LdapUserProvider
Provider Connection: intradoc.provider.LdapConnection
Source Path: MyLDAP
LDAP Server: localhost
LDAP Suffix: dc=example,dc=com
LDAP Port: 10389
Number of connections: 5
Connection timeout: 10
Priority: 1
Credential Map:
SSL Enabled: No
Attribute Map: uid:dFullName
Role Prefix: ou=groups
Default Network Roles: guest
Filter Groups: Yes
Use Full Group Name: No
LDAP Admin DN: uid=admin,ou=system
And my LDAP structure:
"dc=example,dc=com"
_____"ou=groups,dc=example,dc=com"
__________"cn=Administrators,ou=groups,dc=example,dc=com"
__________"cn=admin,ou=groups,dc=example,dc=com"
_____"ou=people,dc=example,dc=com"
__________"uid=asdasd,ou=people,dc=example,dc=com"
__________"uid=qweqwe,ou=people,dc=example,dc=com"
In 'cn=Administrators' entry I have 'uniqueMember:uid=asdasd,ou=people,dc=example,dc=com' property
In 'cn=admin' entry I have 'uniqueMember:uid=qweqwe,ou=people,dc=example,dc=com' property
Nevertheless I can't log in into UCM with users in my LDAP (Invalid Credentials. Please try entering your user name and password again.).
Could you show me my mistake?
Edited by: Michael Baygeldin on Dec 17, 2012 5:34 AM -
AD LDAP for Authentication but ABAP or IDM for Role Assignments
Hi Portal Gurus,
Is it possible to configure the UME in such as way so that it connects to the AD for authentication purposes but uses the CUA or SAP Identity Manager for role assignments?
Thanks,
Vibhu
Hi,
Thanks for the suggestion. But ours was a different problem.
The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
Best regards,
Ashok -
Setting up LDAP for authentication to portal:default property set named "ldap
Hi
I am trying to implement LDAP authentication to WebLogic Portal. I went through the documentation ( http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824 ). It mentions using the default property set named "ldap" and deploying ldapprofile.jar. My question is:
- Is there a way to look into the property set using EBCC?
- Apart from deploying and configuring the ldapprofile.jar, do I have to do any additional steps in order to make my portal (say, stockportal) authenticate users from LDAP?
- If I create my own portal, should I create a similar "ldap" property set? If so, how?
Any suggestions/help is appreciated. Thanks
- Mike
Thanks Dave.
"David Anderson" <[email protected]> wrote:
You should be able to view the property set for LDAP through the EBCC if you have the propertysetws.jar installed in your Portal domain. This provides the ability for the EBCC to retrieve property set information from your server.
Dave
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi Adrian
Thank you for the pointers. Much appreciate it. However, one question still persists.
What is the significance of the property set "ldap" mentioned in the document (http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824)? Where does this property set feature vis-a-vis setting up the LDAP security realm; does it matter prior to/after the setting up as mentioned in the document pointer you just gave?
Is it sufficient that I follow the procedure to set up the LDAP, or is there more to post setting, like creating a property set (similar to "ldap" or cloning it) apart from deploying ldapprofile.jar?
Thanks.
- Mike
"Adrian Fletcher" <[email protected]> wrote:
Mike,
The documentation that covers LDAP authentication is listed under
Weblogic
Server rather than Weblogic Portal.
See Configuring the LDAP Security Realm in Managing Security
(http://e-docs.bea.com/wls/docs61////adminguide/cnfgsec.html#1071872)
Also take a look at the FAQ - Why can't I boot WebLogic Server whenusing
the LDAP Security Realm?
(http://e-docs.bea.com/wls/docs61//faq/security.html#25833)
Hope this helps,
Sincerely,
Adrian.
Adrian Fletcher.
Senior Software Engineer,
BEA Systems, Inc.
Boulder, CO.
email: [email protected]
-
Regarding SAP CUA vs Corporate LDAP for authentication purposes
Hello All:
Could anyone please give more information about SAP CUA and the corporate LDAP? Please suggest which is more advantageous and what is the cost involved in each of these. These are the options for the authentication of SAP Enterprise Portal in our system here. We want to figure out which has more advantages over the other one.
Thanks,
L Buegg
Hello all,
Appreciate your response for this query. We need to figure out the options soon. It's kind of urgent.
Thanks again..
L Buegg. -
OWSM won't connect to ldap for authentication in policy
System: 10.1.3 on Windows with SOA Suite
I've got a web service deployed, got OWSM running, have registered the web service with a gateway component and have built a basic policy (just to log) in the Pipeline "request" and Pipeline "Response" parts of the governing policy; this basic policy works correctly. However, when I try to add an "Ldap Authenticate" step to the Pipeline "Request" part of the policy, OWSM doesn't seem to really try to connect to the LDAP. I have tried two LDAPs (Lotus Notes and OID) that are operational - I can access both of them via command line using the same credentials with which I configured the "Ldap Authenticate" step. Yet, when I invoke the web service with the "Ldap Authenticate" step configured in the policy I get the following exception:
A fault was thrown in the step Client.AuthenticationFault:Invalid username or password
I'm pretty dang sure I have entered the correct credentials in the "Ldap Authenticate" configuration (I checked it 45,000 times) - it seems that OWSM really isn't trying to connect to the LDAPs - and there's no logging that I've found that will tell me what it's really trying to do.
Anyone have any hints or know what's going on?
I have the same problem.
With the help of Vikas's instructions for changing log level I could log the gateway's activities:
security.WSBasicCredsExtractor - Element Value:farbod
security.WSBasicCredsExtractor - Element Value:mypassword
security.WSBasicCredsExtractor - Successfully retrieved username and password
security.WSBasicCredsExtractor - Removing the UsernameToken Header
ldap.DirContextHolder - Creating new directory context
ldap.LDAPAuthenticatorStep - Failed to connect to ldap server.
I am unsure whether my LDAP settings in OWSM are correct:
my server name is nfsserver.com(OID Server) and I have this user in OID:
cn=farbod,cn=Users,dc=nfsserver,dc=com
so I think these settings should work:
LDAP host (*) nfsserver
LDAP port (*) 389
User objectclass (*) inetOrgPerson
LDAP baseDN (*) cn=Users,dc=nfsserver,dc=com
LDAP adminDN (*) cn=orcladmin,cn=Users,dc=nfsserver,dc=com
LDAP admin password ******
LDAP admin login enabled (*) true
Uid Attribute (*) string uid
User Attributes to be retrieved uid
Is the bold part correct?
Regards
Farbod -
Hey Guys,
I noticed that when a group membership changes in LDAP, it takes some time for the changes to show up on the portal. I think that the portal caches the LDAP membership and refreshes it from time to time. Does anybody know what the default value is? And is there a way to change this frequency of refresh?
Thank You
Madhavi
Madhavi,
Default timeout is 2.5 mins(150000 ms). You can set the PageTimeout property in Page Editor.. For more information, pls take a look at the following link.
http://help.sap.com/saphelp_nw04/helpdata/en/b4/12083e7623445ae10000000a11405a/frameset.htm
In your case, you can check the par file and change the setting..
Hope, this helps
Jojo -
Authentication in weblogic portal server 8.1 sp2 using external LDAP
Hi,
I am trying to use external LDAP for authentication.
I have configured the ActiveDirectoryAuthenticator giving the necessary values (and added "-Dcom.bea.p13n.usermgmt.AuthenticationProviderName=ActiveDirectoryAuthenticator" in startWebLogic.cmd) and can see the users and the groups from my LDAP provider in the admin console and in the admin portal's "users and groups".
A set of users are given permission to access the restricted site and those
users are visible in the global role with the permission.
The web.xml is configured for BASIC auth-method, and the role is
<externally-defined/> in weblogic.xml.
Now when I access a restricted page, I am shown a dialog prompt to key in
the username and password.
Even when I key in the valid credentials, the restricted page is not shown
and an "Unauthorized xxx" 401 access error is thrown.
Any clue on what I am missing?
Please let me know if you have any suggestion / idea.
Regards,
Arun.
Assuming your application is a WebLogic Portal application, then yes you would definitely need to install WLP 8.1. WLP version 8.1 is the only version of WLP that will run on WLS/WLW version 8.1.
In order to obtain the product installer, you'll need to contact Oracle Support and file a request. It is not available for download from any Oracle public site. Only version 10.3 is available for download.
Brad -
Can I map iwtUser-role to an attribute in external LDAP???
Hi,
I am using external LDAP for authentication. In the Ext. LDAP I am using
there is an attribute named title in every user cn. I want to use this
attribute for portal to decide which role the user belongs to. I mapped
iwtUser-role to title in Ext. LDAP configuration. When I go to console I
see user(s) under the roles defined in title attribute(in Ext. LDAP).
From console if I try to change the desktop profile of a role and check
'apply changes to all subroles', it's not applying changes to all users
who have the title as that role (even though when I go to that user(s),
I see them under the right role). However, when I look at the
iwtUser-role attribute in profile LDAP using a LDAP browser it shows
/domainname/defaultRole which is not the value mapped (in Ext. LDAP). Do
you have any idea why it is happening? I would like to know if mapping
iwtUser-role to an attribute in Ext. LDAP is right thing in the first
place (I am doing this because the Ext. LDAP is already populated, I
have no roles in that, all users are at same level and I have permission
to change title attribute only in Ext. LDAP).
Thanks,
Siva Kancheti.
Block off the default role if you don't want anyone going into that role but only
the ones defined. You can do this by setting the filter to a value that will return
nothing. (example, title=nonexistent), since the search filter will not return
results, no one will be placed in that role (otherwise have to manually go into that
role and 'move' users).
Hope this helps,
Manon
-
External LDAP + Roles in portal
Folks,
I use weblogic 8.1 portal.
Can we use an external LDAP for storing portal roles? If so, what is supported,
recommended, etc. Does BEA have a recommendation/document on how to support an
environment with multiple domains that share a common LDAP so that we don’t have
to keep them all sync.
Thanks
- Lara
Lara,
The WLS SSPI (plug-in provider architecture) allows you to add additional
role mappers, however the WLS out-of-the-box authorizer and role mapper are
still required for WLP. Also, in a WLS domain/cluster each managed server
has a copy of the LDAP which is automatically kept in sync by the admin
server.
-Phil
-
Retrieve parameters from LDAP using authentication module
I have existing LDAP that contains organization people and their attributes. I have several web applications that use existing LDAP for authentication and authorization. My goal is to deploy single sign-on with openSSO so that users are authenticated against existing LDAP. Changing of the existing LDAP is forbidden.
I deployed newest stable OpenSSO and Apache2 + newest policy agents to web service servers.
OpenSSO server uses LDAP authentication module to authenticate users against existing LDAP. It uses flat file data repository and realm attributes -> user profile is ignored.
This basic setup works fine. The next step is to integrate existing web applications to single sign-on system. The authentication part works fine. I just disabled old mechanism from web applications that did the LDAP authentication. OpenSSO and Apache Policy agent are handling that part.
The existing web applications are still querying existing LDAP other attributes there than uid and userpassword. Is it possible to configure OpenSSO to forward LDAP attributes to web application as cookie or header value? Or is the forwarding feature only for attributes in Data Store?
If the forwarding is not possible what is the next best alternative?
OpenSSO forum is quite silent so I'm back with you guys.
I managed to solve the agent error log problem I mentioned before. The problem was about nonexisting attributes in AMAgent.properties com.sun.am.policy.agents.config.profile.attribute.map. I removed extra attributes and the authentication against LDAP started to work again.
The problem is that no attributes are forwarded from LDAP to web application. I have tried HTTP_COOKIE and HTTP_HEADER settings in AMAgent.properties and com.sun.am.policy.agents.config.profile.attribute.map is set to cn|common-name,mail|email.
My LDAP looks like this:
# testuser, pollo.fi
dn: cn=testuser,dc=pollo,dc=fi
cn: testuser
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Test
sn: User
ou: People
uid: testuser
mail: [email protected]
And my datastore configuration:
LDAP server->localhost:389
LDAP bind DN->cn=admin,dc=pollo,dc=fi
LDAP organization DN->dc=pollo,dc=fi
Attribute name mapping->empty
LDAP3 Plugin supported types and operations->agent,group,realm,user all read,create,edit,delete
LDAP3 Plugin search scope->scope_sub
LDAP Users Search Attribute->uid
LDAP Users Search Filter->(objectclass=inetorgperson)
LDAP User Object Class->organizationalPerson
LDAP User Attributes->uid, userpassword
Create User Attribute Mapping->empty
Attribute Name of User Status->inetuserstatus
User Status Active Value->Active
User Status Inactive Value->inactive
LDAP Groups Search Attribute->cn
LDAP Groups Search Filter->(objectclass=groupOfUniqueNames)
LDAP Groups container Naming Attribute->ou
LDAP Groups Container Value->groups
LDAP Groups Object Class->top
LDAP Groups Attributes->cn,description,dn,objectclass
Attribute Name for Group Membership->empty
Attribute Name of Unqiue Member->uniqueMember
Attribute Name of Group Member URL->memberUrl
LDAP People Container Naming Attribute->ou
LDAP People Container Value->people
LDAP Agents Search Attribute->uid
LDAP Agents Container Naming Attribute->ou
LDAP Agents Container Value->agents
LDAP Agents Search Filter->(objectClass=sunIdentityServerDevice)
LDAP Agents Object Class->sunIdentityServerDevice,top
LDAP Agents Attributes->empty
Identity Types That Can Be Authenticated->Agent,User
Authentication Naming Attribute->uid
Persistent Search Base DN->dc=pollo,dc=fi
Persistent Search Filter->(objectclass=*)
Persistent Search Maximum Idle Time Before Restart->0
Should I enable some setting still to get the forwarding going on? Any ideas for debugging? -
External LDAP - Configuring the External LDAP to the Weblogic Server 10.3.3
I m new to LDAP concepts. Is there any documentation link to configure any of the External LDAP for WLS 10.3.3?
Where can I download to install the Extarnal LDAP?
Thanks
To use Active Directory for quick testing with Weblogic, you can use either Sun's Sun One Directory Server or OpenLDAP which is an open source LDAP. We use OpenLDAP on unix and configure this with WLS. All our users are in OpenLDAP. Try googling around like "OpenLDAP Download" or "Sun One Directory Server" etc. All these are LDAP sources with very minor differences (some extra attributes here and there). Configuration wise all are the same from the WLS point of view. We define the LDAP's Host, Port, admin username/password, User basedn and Group basedn. These are the minimum things we need to know upfront.
Thanks
Ravi Jegga -
Custom user name mapper needs external LDAP connection.
I have a custom user name mapper that needs to connect to our external LDAP. Our security realm is configured to connect to the external LDAP for users and groups. Is there a way to reuse this connection in the custom user name mapper?
-
Anyone configured OID with weblogic as external LDAP
Hey,
I need help from someone who configured Oracle Internet Directory with weblogic 7 or any version to us as external LDAP server.
Your Help is greatly appreciated.
Thanks & Best Regards,
Nagendra
I was able to use OID as external LDAP for my Weblogic. I was able to move the stuff from Weblogic Embedded LDAP to Oracle Internet Directory Server, I have done it by myself
Thanks
Nagendra